Critics question whether NSA data collection is effective

The recently revealed mass collection of phone records and other communications by the U.S. National Security Agency may not be effective in preventing terrorism, according to some critics.

The data collection programs, as revealed by former NSA contractor Edward Snowden, is giving government agencies information overload, critics said during the Computers, Freedom and Privacy Conference in Washington, D.C.

"In knowing a lot about a lot of different people [the data collection] is great for that," said Mike German, a former U.S. Federal Bureau of Investigation special agent whose policy counsel for national security at the American Civil Liberties Union. "In actually finding the very few bad actors that are out there, not so good."

The mass collection of data from innocent people "won't tell you how guilty people act," German added. The problem with catching terrorism suspects has never been the inability to collect information, but to analyze the "oceans" of information collected, he said.

Mass data collection is "like trying to look for needles by building bigger haystacks," added Wendy Grossman, a freelance technology writer who helped organize the conference.

But Timothy Edgar, a former civil liberties watchdog in the Obama White House and at the Office of Director of National Intelligence, partly defended the NSA collection programs, noting that U.S. intelligence officials attribute the surveillance programs with preventing more than 50 terrorist actions. Some critics have disputed those assertions.

Edgar criticized President Barack Obama's administration for keeping the NSA programs secret. He also said it was "ridiculous" for Obama to suggest that U.S. residents shouldn't be concerned about privacy because the NSA is collecting phone metadata and not the content of phone calls. Information about who people call and when they call is sensitive, he said.

But Edgar, now a visiting fellow at the Watson Institute for International Studies at Brown University, also said that Congress, the Foreign Intelligence Surveillance Court and internal auditors provide some oversight of the data collection programs, with more checks on data collection in place in the U.S. than in many other countries. Analysts can query the phone records database only if they see a connection to terrorism, he said.

The U.S. has some safeguards that are "meaningful and substantive, although I'm sure many in this room ... and maybe even me, if I think about it long enough, might think they're not good enough," Edgar said.

While German noted that the NSA has reported multiple instances of unauthorized access by employees to the antiterrorism databases, Edgar defended the self-reporting. "It's an indication of a compliance system that's actually meaningful and working," he said. "If you had a compliance system that said there was no violation, there were never any mistakes, there was never any improper targeting that took place ... that would an indication of a compliance regime that was completely meaningless."

The mass data collection combined with better data analysis tools translates into an "arms race" where intelligence officials try to find new connections with the data they collect, said Ashkan Soltani, a technology and privacy consultant. New data analysis tools lead intelligence officials to believe they can find more links to terrorism if they just have "enough data," but that belief is "too much sci fi," he said.

"This is the difficult part, if you're saying that if we have enough data we'll be able to predict the future," the ACLU's German said.

Many U.S. intelligence officials are suspect of tech vendor claims about predictive analysis, Edgar countered. However, link analysis -- the tracking of suspects through communications with other known criminals or terrorists -- is a "very powerful tool," he said. It may be possible to use sophisticated cryptographic techniques to do that kind of analysis without the bulk collection of phone records, he said.

"The [internal] compliance regime is not the best answer for privacy," Edgar said. "The best answer is not to take the data in the first place, then you don't have to worry about compliance."

The ACLU has concerns about link analysis, because it creates a massive list of suspicious people that overwhelms investigators, German said. "What link analysis creates is suspicion upon the people that suspicious people are linked to," he said. "That growing cloud of suspicion can never been cleared."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.

Copyright 2015 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.